Quantum Readiness Strategies for Working Groups

I've given talks about Post Quantum Cryptography the past few years and pretty much everyone has appreciated the heads up, for those that haven't made it to a talk here are the highlights of what you need to do to prepare for Quantum Computers. 1) Build organizational readiness: • Educate and align the C-suite on the urgency of quantum risk and make the business case for a multi-year investment, i.e. get budget. • Identify personnel responsible for migration execution across different teams, i.e. assign a point person for this project. 2) Discover what you have and assess if the systems are ready: • Get an inventory of you hardware and software assets to identify encryption protocols and categorize them (PQ ready, depreciated, really old). • Assess whether hardware assets have sufficient compute to support PQC algorithms (most systems will but the OS might not be ready) • Figure out which systems will require upgrades or replacements. • Identify vendors and partners that you use and discuss their PQC roadmaps, migration support capabilities. [This one is key, talk to your vendors, find out what they are doing, or not doing!] 3) Begin getting Quantum ready • Buy the hardware / software and replace or upgrade whatever does not support PQ cryptography • Test things! Run proof-of-concept deployments in controlled environments (i.e. your test environment) and use a hybrid approach that combine current and post-quantum algorithms. 4) Deploy Quantum ready solutions • Roll out your solutions / new hardware & software in phases, starting with your high priority systems (Duh). • Ensure configurations enforce quantum-safe algorithms by default and automatically block deprecated algorithms when possible (this will be harder than you might think). • Update your security policies to manage both current and quantum-safe network traffic as you transition. • For the old stuff you can't get rid of, use proxy solutions to make IoT devices (like hospitals, manufacturing, etc.) quantum-ready until they can be updated directly. Last but not least, be prepared to change encryption schemes going forward, what we call, Crypto Agility. 5) Keep patching your stuff • Now that you have a list of your hardware and software and what kind of encryption is uses, do this: • Monitor your inventory for vulnerabilities or new threats. Keep in mind that PQ standards are new and they will likely change over time. • Establish a process to replace or update vulnerable algorithms There, you've now just read my talk, but you missed all my jokes and fun stories, but you got the details / important take aways. 😃 😁 😀 If you want the Internal Control Questionnaire (#ICQ) I put together for some auditor friends, message me here and I'll send it to you.

Quantum computing is advancing rapidly, bringing unprecedented processing power that threatens traditional encryption methods. The "collect now, decrypt later" strategy underscores the urgency of preparation, adversaries are already harvesting encrypted data with the intent to decrypt it once large-scale quantum computers become viable. Fortinet is leading the way in quantum-safe security, integrating NIST PQC algorithms, including CRYSTALS-KYBER, into FortiOS to safeguard data from future quantum-based attacks. "A recent real-world demonstration by JPMorgan Chase (JPMC) showcased quantum-safe high-speed 100 Gbps site-to-site IPsec tunnels secured using QKD. The test was conducted between two JPMC data centers in Singapore, covering over 46 km of telecom fiber, and achieved 45 days of continuous operation." "The network leveraged QKD vendor ID Quantique for the quantum key exchange, Fortinet’s FortiGate 4201F for network encryption, and FortiTester for performance measurement." This is not just a theoretical concern, organizations are already deploying quantum-safe encryption solutions. As quantum computing capabilities advance, organizations must adopt quantum-resistant security architectures and take proactive steps now to safeguard their sensitive information against future quantum-enabled attacks. These proactive methods include: -adopting hybrid cryptographic approaches, combining classical and PQC algorithms, ensuring interoperability and a phased transition -implementing crypto-agile architectures, for seamless updates to encryption mechanisms as new quantum-resistant standards emerge -leveraging PQC capable HSMs and TPMs -evaluating network security architectures, such as ZTNA models -ensuring authentication and access controls are resistant to quantum threats. -identifying mission-critical and long-lived data, that must remain secure for decades. -implementing sensitivity-based classification, determine which datasets require the highest level of post-quantum protection. -conducting risk assessments to evaluate data exposure, storage locations, and current encryption standards. -transitioning to quantum-resistant encryption algorithms recommended by NIST’s PQC standardization efforts. -establishing data-at-rest and data-in-transit encryption policies, mandate use of PQC algorithms as they become available. -strengthening key management practices -developing GRC frameworks ensuring adherence to post-quantum security. -implementing continuous cryptographic monitoring to detect and phase out vulnerable encryption methods. -enforcing regulatory compliance by aligning with emerging PQC standards. -establishing incident response plans to handle quantum-driven cryptographic threats proactively. Fortinet remains committed to pioneering quantum-safe encryption solutions, enabling organizations to stay ahead of emerging cryptographic threats. Read more from Dr. Carl Windsor, Fortinet’s CISO!

Bank for International Settlements – BIS has published "Quantum-readiness for the financial system: a roadmap" The document counts with well-known experts as co-authors: Raphael Auer, Andras Valko (BIS), Angela Dupont (BIS and Banque de France), Maryam Haghighi, Danica Marsden (Bank of Canada), Sarah McCarthy (University of Waterloo) , Donna F. Dodson, and Nicolas Margaine. It provides a comprehensive overview of the #QuantumSafety topic and how it applies to the financial sector systemically and to financial organizations individually. It is useful and insightful, including the most mature thought leadership. Some highlights on general messages: 👉 Trust in the financial system is fundamentally tied to the trust provided by cryptography. 👉 Implementation challenges require coordinated planning and bring an opportunity to build more resilient infrastuctures. 👉 In line with the Canadian roadmap, it emphasizes implementing robust governance structures. 👉 It recommends the implemantation of crypto-agility, understood as per the definition created by the FS-ISAC PQC WG (https://lnkd.in/dgzW_rn8). On "A systemic roadmap": 👉 The document underlines the need for a coordinated and proactive action plan by central banks, supervisory authorities and financial institutions around the world. 👉 Warns about the risk of dual-speed transitions: "In the absence of coordination, actors that are not adequately protected against the quantum threat could become weak links, impacting the security of the entire financial system." 👉 While not suggesting a timeline, the document calls for global alignment: "During the planning phase participants in the financial system translate the jointly agreed priorities and requirements into a system-level migration timeline and a set of common technical choices". 👉 It also recommends protections against the doom of backwards compatibility: "a cut-off date for phasing out legacy cryptographic protocols needs to be approved by all organisations that use those protocols". 👉 And covers the importance of cross-border alignment: "domestic plans need to be aligned with transition plans in other jurisdictions and in cross-border systems, such as multi-currency payment and settlement infrastructures". On organizations' roadmaps: 👉 Underlines the need to appoint an executive leader responsible for driving the programme. 👉 "Forming a dedicated, cross-functional team is essential in this initial phase. This team should include representatives from technology, legal, human resources, finance, operations and security departments". On responsibilities: 👉 "Central banks, as pivotal entities in the global financial system, are well positioned to support and lead the way to increased resilience. [...] Central banks can promote a proactive, systemic approach and help create the alignment necessary for coordinated action across the global financial system". https://lnkd.in/dU4fS4TX

Last week, Ethereum announced it is forming a post-quantum working group because they can read the room: cryptography isn’t a “future upgrade,” it’s a ticking dependency and a grown-up admission that digital trust has a shelf life. In 𝑵𝒐𝒘 𝑾𝒉𝒂𝒕? I called this the Big Crunch: the moment quantum collapses the economics of breaking today’s public-key cryptography. Unlike Y2K, this isn’t a bug you patch. It’s a global migration you either start early or you finish in panic. And timelines are already wobbling, Google research from 2025 suggested breaking RSA could need 20x fewer qubits than previously thought of. Unfortunately, most leaders treat quantum like a storm on the horizon: “interesting, but not today.” That’s a mistake. Attackers can already copy encrypted traffic and files now, store it, and unlock it later when quantum tools get good enough. That’s not theory. It’s a rational investment strategy from an adversary's perspective. And if a major system ever gets quietly cracked, you won’t hear about it when it happens. You’ll hear about it after someone has made money from it. After all, the incentives reward silence; think Enigma, but automated, monetized and at scale. The smart path is boring, but effective: start upgrading before the break, and form working groups like Ethereum to start today. It also means running hybrid encryption, today’s algorithms paired with post-quantum ones, across the places where trust lives: web connections (TLS), logins and identity, enterprise software, key management and HSMs, cloud services, and blockchain signatures. Do it early and you turn a cliff-edge event into a controlled rollout. Wait too long and it’s not just your future data at risk, old encrypted backups, archived emails, contracts, customer records, IP can become readable years later. In other words: you don’t just lose security going forward. You lose your history.

Most quantum boardroom conversations end without an agenda. They end with a posture — "we're monitoring quantum developments," "we're taking it seriously". Neither statement produces a plan. The distinction matters because quantum creates three problem classes, each with a different urgency and a different cost of inaction. A generic posture misaddresses all three at once. The right response, for most leadership teams, has three parts. The first is to defend now. Post-quantum cryptography belongs on the enterprise risk agenda as a current priority. That means building visibility into cryptographic dependencies across the enterprise, identifying migration priorities, and mapping third-party exposure. This is the part of the quantum agenda that cannot wait. The second is to explore selectively. Most leadership teams do not need a wide portfolio of quantum pilots. They need a small number of focused efforts on high-value problems where the workload aligns with quantum's actual strengths — evaluated against the strongest available classical alternative. Each effort should be a targeted test: one specific problem, one clear classical benchmark, one honest evaluation. The third is to build options. For companies in simulation-relevant sectors — pharmaceuticals, advanced materials, energy — the right posture is modest investment in partnerships and early hardware collaborations. The goal is R&D workflows that are ready to integrate quantum subroutines when the technology matures. The companies that benefit most will not necessarily be those spending the most today. They will be the ones best positioned to move when the moment arrives. The most common failure on quantum is conflating the urgency of the three classes — treating all three as equally distant or equally immediate, when each has a different clock running. The organizations that get this right understand early which problem classes matter to their business, which ones to set aside, and what the distinction demands of them starting Monday morning. https://lnkd.in/gkymW7Xm

We just hit 10,000 downloads of my free PQC (post-quantum cryptography) Migration Framework. The most common feedback surprised me. It wasn't "thanks for the resource" or "interesting…" From the people in my network who reached out, the most common response was some version of: "we have to redo our entire quantum security strategy." I've now gotten enough direct feedback to say this is the best empirical data I have for something I suspected - most organizations started thinking about PQC migration this year, but they're working from incomplete mental models of what migration actually requires. A checklist that says "swap RSA for ML-KEM" does not capture the complexity of enterprise-wide quantum readiness program. The PQC Migration Framework (https://pqcframework.com) is free, open-source (CC BY 4.0), and built from what I've learned working across critical infrastructure, financial services, and defense - environments where getting this wrong has consequences that go beyond compliance findings. What it covers that most internal efforts miss: - Cryptographic discovery that goes beyond certificate inventories - hardcoded keys, embedded protocols, third-party dependencies. And Minimum Viable CBOM model - you don't need 100% inventory to start migrating (you can’t even achieve it). - Immediate classical security value - the same inventory that finds quantum-vulnerable RSA also surfaces deprecated TLS 1.0/1.1, weak keys, expired certs, and hardcoded secrets. - Vendor dependency as the real critical path - most PQC timelines are most constrained by vendor GA dates. The framework includes procurement clauses, bridging patterns, and escalation playbooks for when vendors miss commitments. - Hybrid deployment strategies that don't break existing interoperability (but can still introduce new different vulnerabilities and operational overhead if you're not careful) - Governance structures that treat PQC migration as a multi-year program, not a one-off project - and many other points... If your organization has started its quantum readiness journey, or thinks it has, stress-test your approach against the framework. The teams that had to restart weren't behind. They were just working from assumptions that didn't hold up. The framework is completely free. No registration, no email gate, no "request a demo" - just a direct download. https://pqcframework.com #pqc #postquantum #quantumsecurity #quantumreadiness

Today is World Quantum Day. The industry will celebrate. Hardware milestones. Investment records. Physics breakthroughs. Here's what nobody will tell the advanced manufacturers: The quantum economy hit $1.45 billion in revenue last year. Governments have committed over $3 billion in public investment. Private capital added another $2.6 billion. There are more than 7,400 quantum-related job openings globally. And the vast majority of industrial manufacturers have done nothing. Not because the threat isn't real. Not because the opportunity doesn't exist. Because nobody has given them a clear economic framework for what to do first, in what order, and why. So here it is, the three actions that actually matter for industrial executives this year: 1. Audit your cryptographic exposure now. If your organization holds sensitive IP, long-lived contracts, or operational technology connected to external networks, your data is already being collected. The threat is present-tense, not future-tense. 2. Stop waiting for the hardware to mature before building governance. The main risk in 2026 is misallocation, not missing out. The danger is not that you failed to adopt quantum fast enough, it's that you spent years on unfocused pilots driven by vendor hype, while competitors targeted a few high-value use cases and moved on. 3. Separate quantum utility from quantum advantage. Hybrid quantum-classical optimization for scheduling, logistics, and supply chain is deployable today. Fault-tolerant quantum computing is not. Know the difference before a vendor tells you otherwise. The biggest risk in quantum isn't being late. It's being early without leadership. I'm writing this from Washington DC today (excited for the day ahead) on this World Quantum Day, where the incredible cherry blossoms were just at peak bloom along the Tidal Basin. They're stunning. They're also gone in about two weeks. Miss the window, by even a few days, and you're looking at trees wondering what all the fuss was about. Quantum readiness works the same way. The organizations building governance and cryptographic posture now (before commercial pressure forces rushed decisions) will be positioned to capture the value. Those that wait for perfect clarity will be making permanent commitments under deadline, to the vendor standing in front of them. The window is open. It won't stay that way. Happy World Quantum Day 2026! #WorldQuantumDay #QuantumLeadership #IndustrialManufacturing #QuantumSecurity #QEDC #AdvancedManufacturing

** Israel Introduces New Quantum Security Regulation for the Public Sector ** Regulators and governments are taking quantum risk seriously, and Israel is now joining the U.S. in setting clear guidelines for public sector readiness. The newly issued directive requires government agencies to assess cryptographic vulnerabilities and transition to post-quantum encryption (PQC). This isn’t just a technical upgrade—it’s a compliance and risk management priority. Key Takeaways: 🔹 The quantum threat is on a clear timeline—Gartner predicts that cryptography based on RSA and ECC will not be secure by 2029, making migration to quantum-safe cryptography urgent. 🔹 Proper planning now will be far cheaper than reacting to a breach later—waiting increases risk and costs. 🔹 Organizations must take a structured approach, starting with in-depth cryptographic discovery, planning for migration, and securing budget allocations. Action Needed: ✅ Identify and assess cryptographic vulnerabilities—Conduct a comprehensive mapping of encryption methods, identifying systems at risk and prioritizing sensitive data. ✅ Ensure third-party compliance—Any new contracts with vendors must include requirements for post-quantum cryptographic support and crypto-agility. ✅ Plan for migration—Define a clear transition strategy aligned with emerging NIST PQC standards, ensuring seamless implementation with minimal operational disruption. ✅ Allocate budget and resources—Invest in proactive risk mitigation, as early preparation is significantly cheaper than post-breach remediation. ✅ Follow national and international guidelines—Align with recommendations from Israel’s cybersecurity authorities and global PQC initiatives to stay ahead of evolving threats. The full directive (in Hebrew) can be found here: https://lnkd.in/evVFu3t7 Currently, there is no official English translation available. The cost of preparation today is far lower than the cost of reacting too late. Are you taking the necessary steps to be quantum-secure? #QuantumComputing #QuantumCyberReadiness #Cybersecurity #PQC #PostQuantum #DigitalSecurity #Encryption #CyberResilience Colin Soutar Isaac K. Marc Verdonk Niels van de Vorle Casper Stap Emily Mossburg Julie Gleeson Rita Gatt Lior Kalev Shahar NEVO Sharon Dan Irence Wee Venkat Paruchuri